Is it possible to allow users to update just 1 field in AD?

1. She needs to look up a user, to see what their login ID is (it has to match what is in our Cisco VOIP, I'm told). And then ...
2. She needs to input a value in the "IP Phone" field. (apparently, the Cisco software does an LDAP lookup of this field).

Is it possible to delegate the right to change just that one field to a user? (I think not) We don't want her to inadvertently delete a user, or change anything else. We're just tired of her calling the help desk to do simple lookups, or enter a phone number that she should (might?) be able to do herself.

Mind you, I did an export of all user logins, which was supposed to be fed into the Cisco system. So why they think the logins don't match, I don't know. And don't have time (or inclination) to deal with.

We've done something similar with LAPS and allowing certain staff members to read the local Administrator password from AD on their machines - we created a limited account with specific rights to perform the task and set up a web page that has that account perform the task.

Kurt

On Mon, Oct 16, 2017 at 5:44 AM, Michael Leone wrote:
> I have a user, who needs to do 2 things in AD.
>
> 1. She needs to look up a user, to see what their login ID is (it has to match what is in our Cisco VOIP, I'm told). And then ...
> 2. She needs to input a value in the "IP Phone" field. (apparently, the Cisco software does an LDAP lookup of this field).
>
> Is it possible to delegate the right to change just that one field to a user? (I think not) We don't want her to inadvertently delete a user, or change anything else. We're just tired of her calling the help desk to do simple lookups, or enter a phone number that she should (might?) be able to do herself.
>
> Mind you, I did an export of all user logins, which was supposed to be fed into the Cisco system. So why they think the logins don't match, I don't know. And don't have time (or inclination) to deal with.
>
> Thanks for any advice.

I typically use the PowerShell method so that all access rule changes like this are logged in our internal code repos.

You do not need to give the person any other access other than to write to that property for "Descendent User Objects". Bonus points, limit this to specific OUs with user accounts if you can.

-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxx] On Behalf Of Michael Leone
Sent: Monday, October 16, 2017 05:44
To: ntsysadm@xxxxxxxxxxxxxxxx; ActiveDir Mailing List
Subject: [ActiveDir] Is it possible to allow users to update just 1 field in AD?

I have a user, who needs to do 2 things in AD.

1. She needs to look up a user, to see what their login ID is (it has to match what is in our Cisco VOIP, I'm told). And then ...
2. She needs to input a value in the "IP Phone" field. (apparently, the Cisco software does an LDAP lookup of this field).

Is it possible to delegate the right to change just that one field to a user? (I think not) We don't want her to inadvertently delete a user, or change anything else. We're just tired of her calling the help desk to do simple lookups, or enter a phone number that she should (might?) be able to do herself.

Mind you, I did an export of all user logins, which was supposed to be fed into the Cisco system. So why they think the logins don't match, I don't know. And don't have time (or inclination) to deal with.
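
The delegation described in the reply above (write access to one property, inherited by descendant user objects, scoped to one OU), as an added example that is not code from anyone in this thread. It assumes the "IP Phone" field is the `ipPhone` attribute; the OU and group name are placeholders.

```powershell
# Added example. $TargetOU and $GroupName are placeholders, not values from the thread.
Import-Module ActiveDirectory

$TargetOU  = 'OU=Staff,DC=example,DC=com'   # hypothetical OU that holds the user accounts
$GroupName = 'VoIP-Phone-Editors'           # hypothetical group the delegated user belongs to

# Look up schemaIDGUIDs in this forest's schema rather than hard-coding them.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "No schema object named '$LdapDisplayName'" }
    [Guid]$obj.schemaIDGUID
}
$ipPhoneGuid = Get-SchemaGuid 'ipPhone'   # attribute assumed to back the "IP Phone" field
$userGuid    = Get-SchemaGuid 'user'      # object class that inherits the ACE

$sid = (Get-ADGroup -Identity $GroupName).SID

# Allow WriteProperty on ipPhone only, inherited by descendant user objects only.
# The OU object itself gets no new rights, and no create/delete right is granted.
$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $ipPhoneGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid)

$path = "AD:\$TargetOU"
$acl  = Get-Acl -Path $path
$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl

# Read the ACL back and list every explicit ACE the group holds on this OU, so a
# reviewer can confirm the only right granted is WriteProperty on ipPhone.
(Get-Acl -Path $path).GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference.Value -eq $sid.Value } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType, AccessControlType
```

Granting the right to a group rather than to the user directly keeps the ACL unchanged when the person doing the job changes.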